Overview

overview

10

Static

static

3

02afeb0f5e...8e.exe

windows7-x64

10

02afeb0f5e...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 05:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02afeb0f5e086fc30e54c6c71e057767b6defac6a8a847ebd480841947000e8e.exe

  • Size

    246KB

  • MD5

    8735cbaed433fa736367df42f31cf39e

  • SHA1

    2dabc520646145fcf967e697e9e17c67a19fd7e9

  • SHA256

    02afeb0f5e086fc30e54c6c71e057767b6defac6a8a847ebd480841947000e8e

  • SHA512

    ca0fdaffd1b449de0f115a715bd10345b43533d5bc270d83197affce85ec64c382b99b30db99a16ec46fbf8066b2cca006a676b0176423113d13af0b683ca78c

  • SSDEEP

    6144:L+z4SHy5uoBMFGV5PEkIXEHvZAOCIL39Vs0BC+:FCmuoBMUOMxNPs0BC+

Score
10/10
healersmokeloaderbackdoordropperpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\02afeb0f5e086fc30e54c6c71e057767b6defac6a8a847ebd480841947000e8e.exe
    "C:\Users\Admin\AppData\Local\Temp\02afeb0f5e086fc30e54c6c71e057767b6defac6a8a847ebd480841947000e8e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 144
      2⤵
      • Program crash
      PID:568
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
    1⤵
      PID:4624
    • C:\Users\Admin\AppData\Local\Temp\FEA3.exe
      C:\Users\Admin\AppData\Local\Temp\FEA3.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hJ1gw5OZ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hJ1gw5OZ.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU0Wl7Sv.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU0Wl7Sv.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:368
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uf1Cb1Rx.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uf1Cb1Rx.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4320
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qN8sK0XI.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qN8sK0XI.exe
              5⤵
              • Executes dropped EXE
              PID:4044
    • C:\Users\Admin\AppData\Local\Temp\FFEC.exe
      C:\Users\Admin\AppData\Local\Temp\FFEC.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:3036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 204
          2⤵
          • Program crash
          PID:3188
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4536 -ip 4536
        1⤵
          PID:816
        • C:\Users\Admin\AppData\Local\Temp\8A.bat
          "C:\Users\Admin\AppData\Local\Temp\8A.bat"
          1⤵
          • Executes dropped EXE
          PID:4212
        • C:\Users\Admin\AppData\Local\Temp\1F3E.exe
          C:\Users\Admin\AppData\Local\Temp\1F3E.exe
          1⤵
          • Executes dropped EXE
          PID:2508
        • C:\Users\Admin\AppData\Local\Temp\23E3.exe
          C:\Users\Admin\AppData\Local\Temp\23E3.exe
          1⤵
            PID:1524

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1F3E.exe
            Filesize

            446KB

            MD5

            7f286c17a2853b519866dd288d04a795

            SHA1

            3fd6ded09cc0a97556fcef4f8b95e9bd62fe02e5

            SHA256

            76b62f0049b78937c027c3731ecf81e2ff1cbfdff9208a419b77f6edf13d5dea

            SHA512

            9aca621b67466a9c167913fccd4064adc8407ae02af83abee542c40b192f8d1b7e80f4dd2855796d9d423f8618f96b348ff7965c297459868f236c937e42d4eb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\23E3.exe
            Filesize

            21KB

            MD5

            57543bf9a439bf01773d3d508a221fda

            SHA1

            5728a0b9f1856aa5183d15ba00774428be720c35

            SHA256

            70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

            SHA512

            28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8A.bat
            Filesize

            97KB

            MD5

            664526a22d43fb816b2630ff4ee69284

            SHA1

            7c5063d0e765c726f0dab156b7a3579e162681c9

            SHA256

            ad61ecd6964cb46911a975695e6d6e8de3f06e9325ff4eb06f3b3f9cd87005cc

            SHA512

            d0d6d2d7a0b2638c1b87020e2868fccc5e21295a2c9e39e40c85dcb4a3998e7f8c04b5f5fdd326d35b9fe90a89048f27dbfd115aeb358ec8e5b0015c19f8e325

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8A.bat
            Filesize

            97KB

            MD5

            664526a22d43fb816b2630ff4ee69284

            SHA1

            7c5063d0e765c726f0dab156b7a3579e162681c9

            SHA256

            ad61ecd6964cb46911a975695e6d6e8de3f06e9325ff4eb06f3b3f9cd87005cc

            SHA512

            d0d6d2d7a0b2638c1b87020e2868fccc5e21295a2c9e39e40c85dcb4a3998e7f8c04b5f5fdd326d35b9fe90a89048f27dbfd115aeb358ec8e5b0015c19f8e325

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8A.bat
            Filesize

            97KB

            MD5

            664526a22d43fb816b2630ff4ee69284

            SHA1

            7c5063d0e765c726f0dab156b7a3579e162681c9

            SHA256

            ad61ecd6964cb46911a975695e6d6e8de3f06e9325ff4eb06f3b3f9cd87005cc

            SHA512

            d0d6d2d7a0b2638c1b87020e2868fccc5e21295a2c9e39e40c85dcb4a3998e7f8c04b5f5fdd326d35b9fe90a89048f27dbfd115aeb358ec8e5b0015c19f8e325

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FEA3.exe
            Filesize

            1.2MB

            MD5

            de528e38ab73dc1c1aacfeaa026ba2a6

            SHA1

            830c898861108d755c6a1c1bb7cea8733f097dea

            SHA256

            75e29afd9659967f239cad52662bfd540d98aedf83dcb8fe1e9446fedb60a3a0

            SHA512

            5b09b9b42729150bd6dfb0d49d144ddd2894aac2babbd41e2b69a664c038e2d2fbe4944c9f6d020a0b6abf2a65bcfeb03b7069a3e68f25680b9e9f5da2a2f630

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FEA3.exe
            Filesize

            1.2MB

            MD5

            de528e38ab73dc1c1aacfeaa026ba2a6

            SHA1

            830c898861108d755c6a1c1bb7cea8733f097dea

            SHA256

            75e29afd9659967f239cad52662bfd540d98aedf83dcb8fe1e9446fedb60a3a0

            SHA512

            5b09b9b42729150bd6dfb0d49d144ddd2894aac2babbd41e2b69a664c038e2d2fbe4944c9f6d020a0b6abf2a65bcfeb03b7069a3e68f25680b9e9f5da2a2f630

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FFEC.exe
            Filesize

            407KB

            MD5

            3c88c40f5f997396135145483b546833

            SHA1

            0e7fcdd62b420b07c39f76b4e5f54f3928e99e0f

            SHA256

            241d65ae04d4caa8fb3819e04d4000d6344a55e594c02454d9b4e85a63a1a7af

            SHA512

            f57334972125574ef47ede4b68595cd98848ef0f9f3da87c156732cdac97ac628992f8e8b90997a1acbb69f107450bb6499b8ffbc3da5c6bf6d0c6e42a0a4301

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FFEC.exe
            Filesize

            407KB

            MD5

            3c88c40f5f997396135145483b546833

            SHA1

            0e7fcdd62b420b07c39f76b4e5f54f3928e99e0f

            SHA256

            241d65ae04d4caa8fb3819e04d4000d6344a55e594c02454d9b4e85a63a1a7af

            SHA512

            f57334972125574ef47ede4b68595cd98848ef0f9f3da87c156732cdac97ac628992f8e8b90997a1acbb69f107450bb6499b8ffbc3da5c6bf6d0c6e42a0a4301

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hJ1gw5OZ.exe
            Filesize

            1.1MB

            MD5

            dbc1145250cba09b7cc13236592771a3

            SHA1

            2e73af8d49c5be6c491ed6db0f9958dd5f5b2209

            SHA256

            aa7ec0746e04e9435c9b7128966e72a54b2ced1740dc4344e561fd15cfb5be0e

            SHA512

            dfe90b3cc0ae845e5bb1cd50408b42ad3222ff6f65262d7c1f4a200f4894b1dcd7cf28ce88a6b6401bdefa8eba5fd74838af5614be12b3d13a8000f1283403a0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hJ1gw5OZ.exe
            Filesize

            1.1MB

            MD5

            dbc1145250cba09b7cc13236592771a3

            SHA1

            2e73af8d49c5be6c491ed6db0f9958dd5f5b2209

            SHA256

            aa7ec0746e04e9435c9b7128966e72a54b2ced1740dc4344e561fd15cfb5be0e

            SHA512

            dfe90b3cc0ae845e5bb1cd50408b42ad3222ff6f65262d7c1f4a200f4894b1dcd7cf28ce88a6b6401bdefa8eba5fd74838af5614be12b3d13a8000f1283403a0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU0Wl7Sv.exe
            Filesize

            921KB

            MD5

            06ab822c85453c5c039872f8a8b905db

            SHA1

            2b181272d3bbed439a54471d3876af9aff9e3313

            SHA256

            2f1996fc4d003560402b27366305ae34aba2be80ceb9d5134d1808f6aec82dd8

            SHA512

            2be9e58b0ca3bf0c0b4b83c9200a095f76686c9227fcb5258d1f8cb758ae4dace4c05c3190d19c1f52b26f9fb064b85045463c85461ac14802a729bc0b57ddb3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU0Wl7Sv.exe
            Filesize

            921KB

            MD5

            06ab822c85453c5c039872f8a8b905db

            SHA1

            2b181272d3bbed439a54471d3876af9aff9e3313

            SHA256

            2f1996fc4d003560402b27366305ae34aba2be80ceb9d5134d1808f6aec82dd8

            SHA512

            2be9e58b0ca3bf0c0b4b83c9200a095f76686c9227fcb5258d1f8cb758ae4dace4c05c3190d19c1f52b26f9fb064b85045463c85461ac14802a729bc0b57ddb3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uf1Cb1Rx.exe
            Filesize

            632KB

            MD5

            0ba56547c25707a420eb1feb427698e7

            SHA1

            8533c05452e3fdd95a9ec3ecfbf1e5795e692c17

            SHA256

            3c4ae77b8a1b1be0df1e43ec47b03d7ab3f24af69f020d03c362045f514f983c

            SHA512

            c8e87878414ece0482d8520f8b0f05341abdf301347f2cd02a3694a03799bfc192ad29670bffe6ef0f39f53220ef8652f5464942ce3b05c8f9d7b567b50e566f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uf1Cb1Rx.exe
            Filesize

            632KB

            MD5

            0ba56547c25707a420eb1feb427698e7

            SHA1

            8533c05452e3fdd95a9ec3ecfbf1e5795e692c17

            SHA256

            3c4ae77b8a1b1be0df1e43ec47b03d7ab3f24af69f020d03c362045f514f983c

            SHA512

            c8e87878414ece0482d8520f8b0f05341abdf301347f2cd02a3694a03799bfc192ad29670bffe6ef0f39f53220ef8652f5464942ce3b05c8f9d7b567b50e566f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qN8sK0XI.exe
            Filesize

            436KB

            MD5

            ae16ac37ee8acfad8ed099bf482b1368

            SHA1

            dbd4a04f10d2e81813cf64fb1ce4c05d198da6ba

            SHA256

            f9df5e062a76944c849bb8b988e4ecbfc2c4ce30b8882050619c6b15f29ad81a

            SHA512

            d4419b89566051e541509611c3f4305900edc53a15b6ff7b3faa17b84c784eb796662810bcfa873ba077e598c4bc561cd51db86420993739c22348e7dec9442a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qN8sK0XI.exe
            Filesize

            436KB

            MD5

            ae16ac37ee8acfad8ed099bf482b1368

            SHA1

            dbd4a04f10d2e81813cf64fb1ce4c05d198da6ba

            SHA256

            f9df5e062a76944c849bb8b988e4ecbfc2c4ce30b8882050619c6b15f29ad81a

            SHA512

            d4419b89566051e541509611c3f4305900edc53a15b6ff7b3faa17b84c784eb796662810bcfa873ba077e598c4bc561cd51db86420993739c22348e7dec9442a

            Download Submit

          • memory/112-0-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/112-5-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/112-1-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3036-40-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3036-39-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3036-38-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3036-37-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3180-2-0x0000000002A00000-0x0000000002A16000-memory.dmp

            Filesize

            88KB

            Download